Thread-topic: [SA21506] MySQL Create Database Bypass and Privilege Escalation
>
> TITLE:
> MySQL Create Database Bypass and Privilege Escalation
>
> SECUNIA ADVISORY ID:
> SA21506
>
> VERIFY ADVISORY:
>
>
> CRITICAL:
> Not critical
>
> IMPACT:
> Security Bypass, Privilege escalation
>
> WHERE:
> From local network
>
> SOFTWARE:
> MySQL 5.x
>
>
> DESCRIPTION:
> Two vulnerabilities have been reported in MySQL, which can be
> exploited by malicious users to bypass certain security restrictions
> and perform certain actions with escalated privileges.
>
> 1) A user, who has been granted access to a certain database but not
> privileges to create additional databases, can create a database
> where the name differs only by the case of one or more letters from
> the database which the user has access to.
>
> Successful exploitation requires that MySQL runs on a system with a
> file system supporting case-sensitive file names.
>
> 2) An error caused due to arguments to suid routines being calculated
> in an incorrect security context can be exploited to execute arbitrary
> DML statements with the privileges of the routine's definer via a
> stored routine.
>
> Successful exploitation requires that the user has "EXECUTE"
> privileges on the stored routine.
>
> SOLUTION:
> The vulnerabilities have been fixed in the CVS repository and will
> also be fixed in the upcoming 5.0.25 version.
>
> PROVIDED AND/OR DISCOVERED BY:
> 1) Michal Prokopiuk
> 2) Dmitri Lenev
>
> ORIGINAL ADVISORY:
> MySQL:
>
>
>
